Fraud detection for software key recovery schemes means that, without knowing the session key, a third party can verify whether the correct session key could be recovered. This concept and a construction by so-called binding data were introduced by Verheul et al. at Eurocrypt '97 to provide for dishonest users that make simple modifications to messages, e.g., delete the key recovery information, and manipulate the recipient's software such that it decrypts messages even if the key recovery information is incorrect. We show how to break their general construction within their model, in particular without using any other encryption system or any pre-established shared secrets. We conclude that the concept of binding data does not improve the security of software key recovery but illustrates once more its fundamental problem: it does not improve an authorized third party's ability to eavesdrop on serious criminals.
[1] Eric R. Verheul, et al. Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals. EUROCRYPT, 1997.
[2] Yvo Desmedt, et al. Securing Traceability of Ciphertexts - Towards a Secure Software Key Escrow System (Extended Abstract). EUROCRYPT, 1995.
[3] Moti Yung, et al. Escrow Encryption Systems Visited: Attacks, Analysis and Designs. CRYPTO, 1995.
[4] Peter G. Neumann, et al. The risks of key recovery, key escrow, and trusted third-party encryption. World Wide Web J., 1997.
[5] David M. Balenson, et al. Commercial key recovery. CACM, 1996.
[6] Philip R. Zimmermann, et al. The official PGP user's guide. 1996.
[7] Lars R. Knudsen, et al. On the Difficulty of Software Key Escrow. EUROCRYPT, 1996.